Data Privacy & Cybersecurity Compliance

Our team helps companies develop comprehensive compliance programs and assess risks in mergers and acquisitions.

Data privacy and cybersecurity issues are complex, with laws and requirements differing between countries as well as between states. Our team advises companies, boards of directors, and executives on the myriad of international, federal, and state data privacy and cybersecurity laws and regulations regarding the collection, use, disclosure, and security of personal information. We provide practical advice that balances compliance with business operations across industries, including those that are highly regulated and highly visible, such as financial services, health care, technology, and retail. Our team’s core experience includes:

  • Assessment and development of comprehensive privacy and security policies, including data mapping and inventory, gap assessments, privacy impacts, and privacy-by-design
  • Cross-border transfers of data
  • Compliance with laws and regulations relating to specific subject matter, geographies, and industries, including the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), Telephone Consumer Protection Act (TCPA), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Family Educational Rights and Privacy Act (FERPA), Biometric Information Privacy Act (BIPA), Gramm-Leach-Bliley Act (GLBA), Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), Computer Fraud and Abuse Act (CFAA), Children’s Online Privacy Protection Act (COPPA), Electronic Communications Privacy Act (ECPA), Fair Credit Reporting Act (FCRA), and Fair Debt Collection Practices Act (FDCPA)
  • Vendor management programs
  • Monitoring new and amended statutes and regulations internationally and nationally
  • Mergers and acquisitions (M&A), private equity investments, licensing, technology transfers, and other corporate transactions

CCPA and State Consumer Privacy Laws

The CCPA imposes new obligations in U.S. data privacy and security legislation. Our team guides businesses through the latest privacy protection legislation and compliance with the CCPA and defends them, if necessary, when litigation or enforcement actions ensue.

We routinely advise companies on compliance with the CCPA and other similar state statutes to ensure consumer personal information is collected, maintained, used, and shared appropriately.

We continuously track ongoing developments of the statute, including the California attorney general (AG) regulations, amendments to the statute, and how the provisions are being enforced by the AG and applied by the courts. We are also tracking similar laws and regulations in other states and offering proactive compliance and risk assessment.

Representative Experience

Compliance Experience

  • Built enterprise-wide privacy and security framework for startup companies in the health care industry
  • Provide ongoing privacy and security compliance counsel to a large utility provider
  • Counseled a pharmaceutical company on data privacy and security issues, including providing employee privacy training
  • Developed and implemented website privacy policies and terms and conditions of use for numerous clients in various industries
  • Advised clients in various industries, including financial services, health care, marketing, retail, and education, on compliance with the TCPA, including conducting audits, developing compliant policies and procedures, and vendor management
  • Counseled a higher education institution on HIPAA and state data privacy laws involving a college wellness center, including advising on how to stay under FERPA regulation and not trigger HIPAA regulation
  • Draft and modify HIPAA compliance programs for health care entities and train workforces on HIPAA compliance
  • Assist health systems and hospital/physician arrangements in structuring themselves as affiliated covered entities or organized health care arrangements under HIPAA
  • Advised various clients on employment privacy issues, including background checks and FCRA compliance
  • Assisting clients in updating their policies, procedures, websites, and employee training to comply with the CCPA
  • Advising clients regarding adjusting their business models and contractual relationships to minimize CCPA risk
  • Advised an international retailer on adapting GDPR-compliance processes and procedures for compliance with the CCPA
  • Advised a professional sports organization on compliance with the GDPR in connection with its e-commerce websites
  • Advising a financial institution on compliance with the CCPA and copycat state regulations
  • Advised an event management and marketing company on compliance with the GDPR, as a processor, and the CCPA
  • Providing enterprise-wide CCPA-compliance counsel to clients in various industries, including technology, financial institutions, retail, marketing, food and beverage, event planning, higher education, edtech, health care, franchising, and manufacturing
  • Advising international businesses on adapting GDPR-compliance measures to incorporate policies and procedures for CCPA compliance
  • Advising a leading financial institution on compliance with the CCPA’s GLBA exemption
  • Advised a federal credit union on compliance with the privacy and security provisions of the GLBA
  • Advised clients in various industries in connection with data processing addendum (DPA) under the GDPR

Transactional/Strategic Counseling Experience

  • Conducted due diligence and advised client on the acquisition of local media companies that had recently suffered a data breach
  • Advised investment firms on data privacy and security issues in connection with various investments in the technology and consumer goods industries
  • Led vendor management, including negotiation of all privacy and cybersecurity provisions, on behalf of a professional sports organization
  • Conduct data privacy and cybersecurity due diligence for various corporate transactions
  • Work with HIPAA-covered entities and business associates to negotiate contractual provisions regarding data breach requirements and indemnification provisions
  • Draft and negotiate HIPAA business associate agreements, data-related modifications to subscription agreements, and non-disclosure agreements (NDAs) for health care and health IT companies
  • Draft and negotiate DPA
  • Advise health care entities on the transfer of, or access to, medical records in physician practice acquisitions

Incident response plans critical for any organization

Rochester Business Journal | October 23, 2020

The following article in Rochester Business Journal’s special report on Cybersecurity quotes Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes for her insights on state, federal and international cybersecurity laws, and legal best practices on selecting a cloud computing service provider and putting together an incident response plan.

Transitioning to cloud-based services: Due diligence is key

Rochester Business Journal | October 23, 2020

The following article in Rochester Business Journal’s special report on Cybersecurity quotes Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes for her insights on state, federal and international cybersecurity laws, and legal best practices on selecting a cloud computing service provider and putting together an incident response plan.

5 ERISA Cases To Watch In The 2nd Half Of 2020

Law360 | July 29, 2020

San Francisco office managing partner and Corporate partner Karen Ng was quoted in this article for her outlook on the federal government’s interest in Howard Jarvis Taxpayers Association v. California Secure Choice Retirement Savings Program, and the rise in ERISA privacy and cybersecurity lawsuits in Harmon et al. v. Shell Oil Co. et al.

ANALYSIS | 42 CFR Part 2 Rules Changes a Welcome Sign for Many Providers

Behavioral Healthcare Executive | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

Biggest Illinois Decisions So Far in 2020: Midyear Report

Law360 | July 16, 2020

This article includes commentary from Chicago Complex Commercial Disputes partners John Ruskusky and Seth Horvath on some of the most noteworthy Illinois decisions thus far in 2020. John discusses a decision related to the Illinois Biometric Information Privacy Act, while Seth comments on a decision regarding parents suing paint makers for children’s lead test costs, as well as a ruling on a record destruction provision in the Chicago police union contract.

California data security law to have widespread impact

Rochester Business Journal | November 29, 2019

Rochester Corporate associate Jenny Holmes talks to the Rochester Business Journal for their special report on the impact of the California Consumer Privacy Act, which goes into effect January 1. Jenny anticipates that companies will have to comply with the strictest state law on the books if Congress does not pass a federal law.

Keep up with laws developing to protect our consumer data

Rochester Business Journal | November 15, 2019

In the latest installment of his monthly column, Rochester Corporate partner Jeremy Wolk analyzes state-level legislation aimed at enhancing consumer privacy rights and protections, similar to the European Union’s General Data Protection Regulation. Rochester Corporate associate Jenny Holmes contributed to the column.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses that buy, sell or share consumers’ personal information.
